Allow vpn client down a site to site tunnel from router A to router B
Hi there,

I was wondering if the following is possible?

I am terminating a vpn client ( pool 10.10.10.0 /24 ) onto router A and allowing access to 192.168.100.0 /24 , this is router A's local lan. Router A also has a site to site VPN to router B. This is from net 192.168.100.0 /24 to 192.168.200.0 /24 This is as follows.....

Remote Client 10.10.10.0 /24
|
|
192.168.100.0 /24>>Router A>><<Router B<<192.168.200.0 /24

Is there any way that the remote client would be able to go down the Site to site VPN and see Router B's lan?

I am looking for the remote clients to be able to access resources on Router B's lan.

Thanks for any help or pointers anyone can provide.

Andrew
Re: Allow vpn client down a site to site tunnel from router A to router B
tweety wrote:
> I am terminating a vpn client ( pool 10.10.10.0 /24 ) onto router A
> and allowing access to 192.168.100.0 /24 , this is router A's local
> lan. Router A also has a site to site VPN to router B. This is from
> net 192.168.100.0 /24 to 192.168.200.0 /24 This is as follows.....
>
> Remote Client 10.10.10.0 /24
> |
> |
> 192.168.100.0 /24>>Router A>><<Router B<<192.168.200.0 /24
>
> Is there any way that the remote client would be able to go down the
> Site to site VPN and see Router B's lan?
>
> I am looking for the remote clients to be able to access resources on
> Router B's lan.

On Router B there must be a route to 10.10.10.0/24 via the tunnel to 192.168.100.1 (or better, use the IP of the tunnel interface of Router A facing Router B), so traffic from LAN B back to the VPN client finds its way.

Perhaps you may consider making the tunnel between Router A and Router B a GRE over IPsec tunnel instead of pure IPsec, which cannot use a routing protocol. With the old crypto map syntax and static routes it is also possible, but the config will soon become quite ugly.

Beware the execution order of NAT, Firewall and IPsec encryption.

--
Uli
I am interested in viewing the configuration if you get this working
I have been asked this several times and always ended up doing some very creative routing. Hairpinning will also need to be turned on since Clients from Router A and the VPN to Router B are behind the same interface.

If split tunneling is not turned on for the client VPN, all traffic will be allowed to the internet with Hairpinning turned on since interface ACLs will not be applied. I honestly don't think this will work, however I wish you luck and look forward to your results.

www.netleets.com
IT Security News, Forums, and Information, in plain English
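The return-path requirement raised in the replies above, as an added example that is not part of any post in this thread: a Python model assuming policy-based IPsec (crypto map style), where each router only encrypts traffic that matches one of its (local, remote) selectors. The selector lists, host addresses and function names are constructed for illustration; only the three subnets come from the thread.

```python
from ipaddress import ip_address, ip_network

POOL = "10.10.10.0/24"       # VPN client pool terminated on Router A (from the thread)
LAN_A = "192.168.100.0/24"   # Router A's LAN
LAN_B = "192.168.200.0/24"   # Router B's LAN

# Constructed selector lists, written as (local_net, remote_net) per router.
ORIGINAL_A = [(LAN_A, LAN_B)]            # site-to-site as first described
ORIGINAL_B = [(LAN_B, LAN_A)]
FIXED_A = ORIGINAL_A + [(POOL, LAN_B)]   # pool added on Router A
FIXED_B = ORIGINAL_B + [(LAN_B, POOL)]   # mirror entry added on Router B


def matches(selectors, src, dst):
    """True if the flow src -> dst falls inside any (local, remote) selector."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(loc) and d in ip_network(rem)
               for loc, rem in selectors)


def unmirrored(sel_a, sel_b):
    """Selectors present on one router without an exact mirror on the other."""
    a = {(ip_network(loc), ip_network(rem)) for loc, rem in sel_a}
    # Flip Router B's entries so both sets are expressed from Router A's view.
    b = {(ip_network(rem), ip_network(loc)) for loc, rem in sel_b}
    return a ^ b


def diagnose(sel_a, sel_b, client="10.10.10.5", host_b="192.168.200.20"):
    """Check both directions of a client <-> LAN B flow (hosts are constructed)."""
    return {
        "forward": matches(sel_a, client, host_b),  # A encrypts client -> LAN B
        "return": matches(sel_b, host_b, client),   # B encrypts LAN B -> client
        "unmirrored": unmirrored(sel_a, sel_b),
    }


if __name__ == "__main__":
    cases = [("original", ORIGINAL_A, ORIGINAL_B),
             ("pool on A only", FIXED_A, ORIGINAL_B),
             ("pool on both", FIXED_A, FIXED_B)]
    for name, a, b in cases:
        r = diagnose(a, b)
        print(f"{name}: forward={r['forward']} return={r['return']} "
              f"unmirrored={len(r['unmirrored'])}")
```

The "pool on A only" case is the one that is easy to miss: Router A sends the client's traffic into the tunnel, but Router B has no selector for the reply.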